Opened 13 years ago

Closed 13 years ago

#152 closed defect (fixed)

segfault when try_files is used

Reported by: Eugene Pimenov
Owned by: somebody
Priority: major
Milestone:
Component: nginx-core
Version: 1.1.x
Keywords: try_files
Cc:
uname -a: Darwin Eugene-Pimenovs-MacBook-Pro.local 11.3.0 Darwin Kernel Version 11.3.0: Thu Jan 12 18:47:41 PST 2012; root:xnu-1699.24.23~1/RELEASE_X86_64 x86_64 i386 MacBookPro8,2 Darwin
nginx -V: nginx version: nginx/1.1.19
built by gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.9.00)
configure arguments: --with-pcre=../../nginx/pcre/pcre-8.30

Description

nginx 1.1.19 introduces a segfault when try_files is used.

Config:

    server {
        listen       8080;
        server_name  localhost;

        try_files /system/maintenance.html $uri/index.html $uri.html $uri @app;

        location @app {
            return 502;
        }
    }

url: http://localhost:8080/sync_sessions/f908072de388e9bdfcde95f24e12b47e72cae888%2029

backtrace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_c.dylib             	0x00007fff8fc45ce2 memmove$VARIANT$sse42 + 37
1   nginx                         	0x000000010ff104ce ngx_http_core_try_files_phase + 574 (ngx_http_core_module.c:1262)
2   nginx                         	0x000000010ff0e499 ngx_http_handler + 281 (ngx_http_core_module.c:877)
3   nginx                         	0x000000010ff149ed ngx_http_process_request + 157 (ngx_http_request.c:1857)
4   nginx                         	0x000000010ff132c4 ngx_http_process_request_line + 1044 (ngx_http_request.c:725)
5   nginx                         	0x000000010ff07846 ngx_kqueue_process_events + 406 (ngx_kqueue_module.c:684)
6   nginx                         	0x000000010feffe49 ngx_process_events_and_timers + 185 (ngx_event.c:248)
7   nginx                         	0x000000010ff06239 ngx_worker_process_cycle + 249 (ngx_process_cycle.c:806)
8   nginx                         	0x000000010ff0478f ngx_spawn_process + 767 (ngx_process.c:205)
9   nginx                         	0x000000010ff060a7 ngx_start_worker_processes + 151 (ngx_process_cycle.c:365)
10  nginx                         	0x000000010ff0508a ngx_master_process_cycle + 346 (ngx_process_cycle.c:137)
11  nginx                         	0x000000010feeb173 main + 2547 (nginx.c:410)
12  nginx                         	0x000000010fee9c64 start + 52

It tries to copy memory into an unallocated buffer. When it checks for length it sets prealloc to 0, and then it skips allocating a buffer altogether.

Can reproduce on Debian squeeze (they pushed 1.1.19 to backports, sigh) and Mac OS X 10.7.3.

Change History (3)

comment:1 by Maxim Dounin, 13 years ago

In [4601/nginx]:

Fixed segfault with try_files (ticket #152).

The problem occurred if first uri in try_files was shorter than request uri,
resulting in reserve being 0 and hence allocation skipped. The bug was
introduced in r4584 (1.1.19).
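The following is a constructed C model of the allocation rule that the report and comment:1 describe, added here as an illustration; it is not nginx source and not code from the ticket. The names try_ctx, try_build and walk_ticket_case are assumed, the "reserve" bookkeeping is simplified, and the request URI is taken from the reported URL with %20 decoded to a space. With the 1.1.19 rule (grow the buffer only when more reserve is needed than is already held) the first entry, /system/maintenance.html, is shorter than the request URI, so reserve is 0, nothing is allocated, and the copy targets a NULL buffer; the model reports that condition instead of performing the memmove that produced the backtrace above. The fixed rule also allocates when no buffer exists yet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the allocation rule described in this ticket; it is
 * not nginx source. try_ctx, try_build and walk_ticket_case are names
 * assumed for the illustration. */

enum { TF_OK = 0, TF_NULL_WRITE = -1, TF_OOM = -2 };

typedef struct {
    char   *path;         /* candidate path buffer, NULL until first allocated */
    size_t  reserve_held; /* extra bytes beyond the request URI length it holds */
} try_ctx;

/*
 * Build one expanded try_files entry into ctx->path.
 * fixed == 0 models 1.1.19 (r4584): grow only when more reserve is needed
 * than is already held. On the first entry nothing is held, so an entry no
 * longer than the request URI gives reserve == 0, the allocation is skipped
 * and path is still NULL when the copy happens.
 * fixed == 1 models r4601: also allocate when no buffer exists yet.
 * Instead of copying into NULL (the memmove frame in the backtrace) the
 * model returns TF_NULL_WRITE.
 */
static int try_build(try_ctx *ctx, const char *entry, const char *uri, int fixed)
{
    size_t entry_len = strlen(entry);
    size_t uri_len   = strlen(uri);
    size_t reserve   = entry_len > uri_len ? entry_len - uri_len : 0;

    if (reserve > ctx->reserve_held || (fixed && ctx->path == NULL)) {
        char *p = realloc(ctx->path, uri_len + reserve + 1);
        if (p == NULL) {
            return TF_OOM;
        }
        ctx->path = p;
        ctx->reserve_held = reserve;
    }

    if (ctx->path == NULL) {
        return TF_NULL_WRITE;
    }

    memmove(ctx->path, entry, entry_len + 1);
    return TF_OK;
}

/*
 * Walk the ticket's list: /system/maintenance.html $uri/index.html $uri.html
 * $uri, with $uri set to the (percent-decoded) request URI from the report.
 * Returns the status of the first entry that fails, or TF_OK; when last is
 * non-NULL it receives the last candidate that was built ("" if none).
 */
static int walk_ticket_case(int fixed, char *last, size_t last_sz)
{
    static const char uri[] =
        "/sync_sessions/f908072de388e9bdfcde95f24e12b47e72cae888 29";
    static const char *const suffixes[] = { "/index.html", ".html", "" };
    try_ctx ctx = { NULL, 0 };
    char entry[256];
    int rc;

    /* first entry is the literal file, shorter than the request URI */
    rc = try_build(&ctx, "/system/maintenance.html", uri, fixed);

    for (size_t i = 0; rc == TF_OK && i < 3; i++) {
        snprintf(entry, sizeof entry, "%s%s", uri, suffixes[i]);
        rc = try_build(&ctx, entry, uri, fixed);
    }

    if (last != NULL) {
        snprintf(last, last_sz, "%s", ctx.path != NULL ? ctx.path : "");
    }
    free(ctx.path);
    return rc;
}

int main(void)
{
    char last[128];
    int rc;

    rc = walk_ticket_case(0, last, sizeof last);
    printf("1.1.19 rule: rc=%d (%s)\n", rc,
           rc == TF_NULL_WRITE ? "copy into NULL, nginx segfaults" : "ok");

    rc = walk_ticket_case(1, last, sizeof last);
    printf("fixed rule:  rc=%d, last candidate %s\n", rc, last);
    return 0;
}
```

Swapping the order of the try_files entries so that a candidate longer than the request URI comes first (for example $uri/index.html) makes the buggy rule allocate on that entry and the shorter entries then reuse the buffer, which is why the crash depends on the first entry being shorter than the request URI, as comment:1 states.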

comment:2 by Maxim Dounin, 13 years ago

Fix committed, thanks.

comment:3 by Maxim Dounin, 13 years ago

Resolution: fixed
Status: new → closed